rolling_update: move mgr key creation

Until all the mons haven't been updated to Luminous, there is no way to
create a key. So we should do the key creation in the mon role only if
we are not part of an update.
If we are then the key creation is done after the mons upgrade to
Luminous.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1574995
Signed-off-by: Sébastien Han <seb@redhat.com>

diff --git a/infrastructure-playbooks/rolling_update.yml b/infrastructure-playbooks/rolling_update.yml
index 9216184cd5c1d9e7b641ff8ea9760b1c8de4fe94..1f7d2c982428710a02bf3a4f60da255c4f2a2c17 100644 (file)
--- a/infrastructure-playbooks/rolling_update.yml
+++ b/infrastructure-playbooks/rolling_update.yml
@@ -192,7 +192,43 @@
   become: True
 
   pre_tasks:
-    # this task has a failed_when: false to handle the scenario where no mgr existed before the upgrade
+    - name: non container | create ceph mgr keyring(s)
+      command: "ceph --cluster {{ cluster }} auth get-or-create mgr.{{ hostvars[item]['ansible_hostname'] }} mon 'allow profile mgr' osd 'allow *' mds 'allow *' -o /etc/ceph/{{ cluster }}.mgr.{{ hostvars[item]['ansible_hostname'] }}.keyring"
+      args:
+        creates: "{{ ceph_conf_key_directory }}/{{ cluster }}.mgr.{{ hostvars[item]['ansible_hostname'] }}.keyring"
+      changed_when: false
+      delegate_to: "{{ groups[mon_group_name][0] }}"
+      with_items:
+        - "{{ groups.get(mgr_group_name, []) }}"
+      when:
+        - not containerized_deployment
+        - "{{ groups.get(mgr_group_name, []) | length > 0 }}"
+
+    - name: container | create ceph mgr keyring(s)
+      command: "docker exec ceph-mon-{{ hostvars[groups[mon_group_name][0]]['ansible_hostname'] }} ceph --cluster {{ cluster }} auth get-or-create mgr.{{ hostvars[item]['ansible_hostname'] }} mon 'allow profile mgr' osd 'allow *' mds 'allow *' -o /etc/ceph/{{ cluster }}.mgr.{{ hostvars[item]['ansible_hostname'] }}.keyring"
+      args:
+        creates: "{{ ceph_conf_key_directory }}/{{ cluster }}.mgr.{{ hostvars[item]['ansible_hostname'] }}.keyring"
+      changed_when: false
+      delegate_to: "{{ groups[mon_group_name][0] }}"
+      with_items:
+        - "{{ groups.get(mgr_group_name, []) }}"
+      when:
+        - containerized_deployment
+        - "{{ groups.get(mgr_group_name, []) | length > 0 }}"
+
+    - name: fetch ceph mgr key(s)
+      fetch:
+        src: "{{ ceph_conf_key_directory }}/{{ cluster }}.mgr.{{ hostvars[item]['ansible_hostname'] }}.keyring"
+        dest: "{{ fetch_directory }}/{{ fsid }}/"
+        flat: yes
+        fail_on_missing: no
+      delegate_to: "{{ groups[mon_group_name][0] }}"
+      with_items:
+        - "{{ groups.get(mgr_group_name, []) }}"
+
+    # The following task has a failed_when: false
+    # to handle the scenario where no mgr existed before the upgrade
+    # or if we run a Ceph cluster before Luminous
     - name: stop ceph mgr
       systemd:
         name: ceph-mgr@{{ ansible_hostname }}

diff --git a/roles/ceph-mon/tasks/docker/main.yml b/roles/ceph-mon/tasks/docker/main.yml
index 8654cce08facd01533ae9d91000b4180f6e86b90..1e84410b3dd069d3e8ea92ac58f9d2e363c3bbe5 100644 (file)
--- a/roles/ceph-mon/tasks/docker/main.yml
+++ b/roles/ceph-mon/tasks/docker/main.yml
@@ -128,5 +128,6 @@
     when:
       - item.stat.exists == true
   when:
+    - not rolling_update
     - inventory_hostname == groups[mon_group_name]|last
     - ceph_release_num[ceph_release] >= ceph_release_num.luminous